CAB Forum bans WHOIS, Legal Opinions for Domain Validation

On August 1, a couple of new changes to the baseline requirements that govern the issuance of digital certificates went into effect. Certificate Authorities are no longer allowed to use methods #1 and #5 from section 3.2.2.4 to validate domain ownership. Or, put in laymen’s terms, CAs will no longer be allowed to use WHOIS look ups and legal opinion letters to validate ownership of a domain.

There’s a little bit to unpack here, so let’s start from the top with a quick refresher on the CAB Forum before we get into the actual substance of the changes.

The Certificate Authority/Browser Forum or CAB Forum serves as a de facto regulatory body for the digital certificate industry. Comprised Certificate Authorities and the major browsers, the Forum is responsible for determining the baseline requirements that govern certificate issuance.

The CAB Forum has been actively working to improve domain validation since around the Spring of 2015. As DigiCert’s Tim Hollebeek puts it:

Historically, the requirements around the mechanics of how [domain validation was] done were pretty vague and loose. Even worse, CAs were allowed to use “any other method” to validate control of the domain name, as long as they argued it was at least as secure as one of the listed methods. This left lots of room for CAs to cut corners on validation of certificates.

So, on August 5, 2016, Ballot 169 was passed. It officially removed the “any other methods” portion of the baseline requirements. It was hoped that some of the new technical steps that were added at the time would be used by the CAs, thus ensuring stronger validation, but most CAs opted not to implement these new methods and instead continued using older methods.

In response, in December of 2017 the CAB Forum again set out to strengthen domain validation, this time by eliminating a pair of older validation methods that have been deemed unsafe.

In February, Ballot 218 was passed. This ballot effectively eliminates two methods for domain validation: Method #1, WHOIS lookups and Method #5, Legal Opinion Letters. Both methods were amended so that they will no longer be usable by Certificate Authorities as of August 1, 2018.

Continuing to use WHOIS lookups or legal opinions to validate domain ownership will be considered mis-issuance and will be subject to revocation and/or distrust upon discovery.

Frankly, these changes shouldn’t be a major issue for most CAs. The WHOIS lookup was already in question as a result of the GDPR. Currently, ICANN and the Domain Registrar industry are wrestling with how to redact WHOIS, and whether it should be public at all. Rather than wait for a fix, the CAB Forum has moved ahead without WHOIS and similar looks-ups under Method #1, which also allowed for attestation letters and third-party databases that were never intended for domain validation in the first place.

Likewise, in the debate leading up to Ballot 218, there was very little evidence presented that CAs were even using Method #5, which allows attorneys and accountants to write letters asserting ownership of a given domain. The CAB Forum felt this was a subject that they were not especially qualified to evaluate.

It is worth noting that legal opinion letters are still useful for other kinds of validation, specifically as it relates to Organization and Extended Validation SSL certificates, but as a means for verifying domain ownership legal opinion letters are no longer allowed.

What methods may still be used to validate domain ownership?

Glad you asked! There are still a number of methods that can be used to validate domain ownership by a certificate authority. For a complete idea, I’d recommend you take a gander at the baseline requirements in full. But if you don’t feel like delving into 63 pages of legalese, here’s an abridged version:

Method #2 – A CA can confirm domain ownership by sending a random value via email, fax, SMS or snail mail and then receiving a confirming response using the random value.

Method #3 – A CA can confirm domain ownership by calling the registrant’s phone number and obtaining a response confirming the applicant’s request for validation.

Method #4 – A CA can confirm domain ownership by sending an email to one or more of the following pre-approved addresses:

Admin@Domain

Administrator@Domain

Webmaster@Domain

Hostmaster@Domain

Postmaster@Domain

Method #6 – A CA can confirm domain ownership by confirming an agreed-upon change to the website.

Method #7 – A CA can confirm domain ownership by confirming the presence of a random value in the website’s DNS CNAME, TXT or CAA record.

Method #8 – A CA can confirm domain ownership by confirming that the applicant controls an IP address.

Method #9 – A CA can confirm domain ownership by confirming the presence of a non-expired test certificate on the website.

Method #10 – A CA can confirm domain ownership by confirming the presence of a random value within a certificate at that domain, which is accessible by the CA via TLS over an authorized port.

Currently there is work being done at the CAB Forum to codify a requirement for CAs to publish the validation method used within the certificate details. The Forum hopes this will identify the most common validation methods in use while also helping to find mis-issuances.